Microsoft has been in the news for, mostly, the wrong reasons recently. There is the Internet Explorer zero-day vulnerability that Microsoft hasn't issued a patch for, despite it being actively exploited. That came just days after the U.S. Government issued a critical Windows 10 update now alert concerning the "extraordinarily serious" curveball crypto vulnerability. Now a newly published report, has revealed that 250 million Microsoft customer records, spanning an incredible 14 years in all, have been exposed online in a database with no password protection.
Paul Bischoff, a privacy advocate and editor at Comparitech, has revealed how an investigation by the Comparitech security research team uncovered no less than five servers containing the same set of 250 million records. Those records were customer service and support logs detailing conversations between Microsoft support agents and customers from across the world. Incredibly, the unsecured Elasticsearch servers contained records spanning a period from 2005 right through to December 2019. When I say unsecured, I mean that the data was accessible to anyone with a web browser who stumbled across the databases: no authentication at all was required to access them, according to the Comparitech report.
Microsoft discloses security breach of customer support database
The nature of the data appears to be that much of the personally identifiable information was redacted. However, the researchers say that many contained plain text data including customer email addresses, IP addresses, geographical locations, descriptions of the customer service and support claims and cases, Microsoft support agent emails, case numbers and resolutions, and internal notes that had been marked as confidential. This may seem like no big deal in the overall scheme of things, but when you consider that Microsoft support scams are pretty rampant, it doesn't take a genius to work out how valuable such information would be to the fraudsters carrying out such attacks.
That posting also confirmed that the exposure of the database started on December 5, 2019, as the result of misconfigured security rules, and was remediated on December 31. The statement included an apology from Microsoft: "We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence."
Today, we concluded an investigation into a misconfiguration of an internal customer support database used for Microsoft support case analytics. While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.
In a blog post today, the OS maker said that an internal customer support database that was storing anonymized user analytics was accidentally exposed online without proper protections between Dec.r 5 and Dec. 31.
The leaky customer support database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations, Diachenko told ZDNet today. All five servers stored the same data, appearing to be mirrors of each other.
However, in cases where users filed customer support requests using non-standard formatted data such as ("name surname @ email domain com" instead of "name.surname@email.com") the data was not detected and redacted, and remained in the exposed database.
Over the New Year, Microsoft exposed nearly 250 million Customer Service and Support (CSS) records on the web. The records contained logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019. All of the data was left accessible to anyone with a web browser, with no password or other authentication needed.
Microsoft has said that for these special cases, it has started to notify the customers whose data may have been exposed in the breach. The software and technology company also said that it is planning on implementing the following practices to help prevent such a breach in the future:
Microsoft disclosed a security breach caused by a misconfigured internal customer support database that led to the accidental exposure of roughly 250 million customer support and service records, some of them containing personally identifiable information.
Microsoft didn't get into details such as the number of records exposed, the type of database that was left unprotected, or the type of personal information that was left in the open, only that data in the support case analytics database was "redacted using automated tools to remove personal information."
While most of the records stored within the heavily-redacted internal customer support database used for support case analytics did not contain personal information, some non-standard PII wasn't anonymized.
However, Security Discovery's Cyber Threat Intelligence Director Bob Diachenko, the researcher who reported the exposed data to Microsoft was able to tell BleepingComputer that the 250 million customer support and service records were stored on five identical ElasticSearch clusters.
As he also revealed in a report published in collaboration with Comparitech, the records that weren't properly anonymized exposed customer email addresses, IP addresses, locations, CSS claims and case descriptions, Microsoft support agent emails, and internal notes marked as "confidential."
The software giant provided further details on the security breach in a blog post in which it said that the database was storing anonymized user analytics and was accidentally exposed online between December 5 and December 31.
According to Diachenko, the customer support database contained a cluster of five Elasticsearch servers that are used to help simplify search operations. All five servers stored the same data as they appear to be mirrors of each other.
The servers storing Microsoft's customer support database contained almost 250m entries including information such as email addresses, IP addresses and support case details. Thankfully though, most of the records did not contain any personal user information according to the company's blog post (opens in new tab), which reads:
The company's support team also reportedly told customers who reached out that it would not notify data regulators because "no other notifications are required under GDPR" besides those sent to impacted customers.
In addition, we share personal data among Microsoft-controlled affiliates and subsidiaries. We also share personal data with vendors or agents working on our behalf for the purposes described in this statement. For example, companies we've hired to provide customer service support or assist in protecting and securing our systems and services may need access to personal data to provide those functions. In such cases, these companies must abide by our data privacy and security requirements and are not allowed to use personal data they receive from us for any other purpose. We may also disclose personal data as part of a corporate transaction such as a merger or sale of assets.
General. When a customer tries, purchases, uses, or subscribes to Enterprise and Developer Products, or obtains support for or professional services with such products, Microsoft receives data from you and collects and generates data to provide the service (including improving, securing, and updating the service), conduct our business operations, and communicate with the customer. For example:
Microsoft uses the data we collect from enterprise and developer software and enterprise appliances to provide and improve our products, to deliver customer support, to activate the product, to communicate with you, and to operate our business.
You can unlink your Android phone from your Windows device at any time by logging in with your Microsoft account at accounts.microsoft.com/devices and updating the Settings on your Android phone. For detailed information, see our support page.
Access to customer data by Microsoft operations and support personnel is denied by default. When access to data related to a support case is granted, it is only granted using a just-in-time (JIT) model using policies that are audited and vetted against our compliance and privacy policies. The access-control requirements are established by the following Azure Security Policy:
Data sovereignty implies data residency; however, it also introduces rules and requirements that define who has control over customer data stored in the cloud. In many cases, data sovereignty mandates that customer data be subject to the laws and legal jurisdiction of the country or region in which data resides. These laws can have direct implications on data access even for platform maintenance or customer-initiated support requests. You can use Azure public multi-tenant cloud in combination with Azure Stack products for on-premises and edge solutions to meet your data sovereignty requirements, as described later in this article. These other products can be deployed to put you solely in control of your data, including storage, processing, transmission, and remote access.
As explained in Data encryption at rest section, your data is encrypted at rest by default when stored in Azure and you can control your own encryption keys in Azure Key Vault. Moreover, access to your data isn't needed to resolve most customer support requests. Microsoft engineers rely heavily on logs to provide customer support. As described in Insider data access section, Azure has controls in place to restrict access to your data for support and troubleshooting scenarios should that access be necessary. For example, Just-in-Time (JIT) access provisions restrict access to production systems to Microsoft engineers who are authorized to be in that role and were granted temporary access credentials. As part of the support workflow, Customer Lockbox puts you in charge of approving or denying access to your data by Microsoft engineers. When combined, these Azure technologies and processes (data encryption, JIT, and Customer Lockbox) provide appropriate risk mitigation to safeguard confidentiality and integrity of your data. 2ff7e9595c
Comments